In this article we lay bare ISO 27001 Clause 7.5.2 Creating and Updating Documented Information. Exposing the insider trade secrets, giving you the templates that will save you hours of your life and showing you exactly what you need to do to satisfy it for ISO 27001 certification. We show you exactly what changed in the ISO27001:2022 update. I am Stuart Barker the ISO27001 Ninja and this is ISO27001 Clause 7.5.2
Table of contents
- What is ISO 27001 Clause 7.5.2 Creating And Updating Documented Information?
- What are the ISO27001:2022 Changes to Clause 7.5.2?
- ISO 27001 Clause 7.5.2 Definition
- How To comply with ISO 27001 Clause 7.5.2
- ISO 27001 Clause 7.5.2 Implementation Guide
- How do you demonstrate compliance to ISO 27001 clause 7.5.2?
- ISO 27001 Clause 7.5.2 Templates
- ISO 27001 Clause 7.5.2 FAQ
- ISO 27001 Certification Requirements
- See Also
What is ISO 27001 Clause 7.5.2 Creating And Updating Documented Information?
The ISO 27001 standard requires an organisation to document the information security management system, that the documentation is marked up with document markup and that documents are reviewed and approved.
It works on the premise that if it is not written down then it does not exist. Often the ISO 27001 certification is about the minutia of documentation rather than whether you are actually secure.
We are not here to defend it, rather to show you how to do it.
Hopefully saving you some time and money along the way.
As the ISO 27001 standard for ISO 27001 certification wants you to document pretty much everything and this approach, and how you do it, is very much in line with ISO 9001. It is one of the ISO 27001 controls.
What are the ISO27001:2022 Changes to Clause 7.5.2?
Great news. There are no changes to ISO 27001 Clause 7.5.2 in the 2022 update.
ISO 27001 Clause 7.5.2 Definition
The ISO 27001 standard defines clause 7.5.2 as:
When creating and updating documented information the organisation shall ensure appropriate:
a) identification and description (e.g. a title, date, author, or reference number)
b) format (e.g. language, software version, graphics) and media (e.g. paper, electronic); and
c) review and approval for suitability and adequacy.ISO 27001 Clause ISO 27001 Clause 7.5.2 Creating and Updating Documented Information
You get the idea. Without exception, everything needs documenting. Everything.
How To comply with ISO 27001 Clause 7.5.2
Time needed: 1 day.
How to comply with ISO 27001 Clause 7.5.2 Guide to Creating and Updating Documented Information
- Choose your document format
The simplest format for creating your documents is going to be Microsoft Office. It provides the most flexibility and the most options for exporting in different formats such as PDF. You can use any format you like, for example Google Docs, but decide up front what format your documents will be in.
- Build document templates
You will require document templates for each document type that you will create. This is typically Word processing, Spreadsheets, Presentations, Diagrams. We recommend creating a Microsoft Word template, a Microsoft Excel Template and a Microsoft Powerpoint template. Optionally considering buying the ISO 27001 Templates Toolkit that includes all the documents that you need that fully this requirement for document mark up. If you create your own ISO 27001 document templates then the ISO 27001 document templates should include the following steps.
- Add a title place holder
Every document requires a title so provide a place holder in your template for the document title.
- Add a date place holder
Every document requires a date so provide a place holder for the date the document was last amended in your document template.
- Add an author place holder
Every document requires an author so provide a place holder for the author of the document in your ISO 27001 document template.
- Optionally add a reference number place holder
Reference numbers are not required and are optional. If they make sense for you provide a place holder for the reference number of the document.
- Add a version control table
Version control is very important in a document to show the history of that document. Include a version control table in your document template that has columns for the date of the change, how made the change, what change they made and the version number of the document. Include rows in the template as place holders that can be completed.
- Add a last reviewed date place holder
The date of last review may be the date the document was last updated or it may not. A document may not need to be reviewed every-time it is up dated. Be sure to provide a place holder in your ISO 27001 document template for the date the document was last formally reviewed. It is good practice to provide evidence of the review and the easiest way to do this is have the document reviewed and signed off at the management review team meeting and then minuted in the meeting minutes.
- Add a document confidentiality level place holder
The classification of documents is very important and covered under other clauses within the standard but now is a good time to provide a place holder for the document classification. This will be used to apply the appropriate level of controls to the document.
- Use the ISO 27001 document templates to create your actual documents
Use the templates that you have created as a baseline to create your information security management system documents, policies and records of evidence. It is best practice to apply this mark up to all the documents that will be covered by the scope of your ISO 27001 certification. The auditor will check.
- Before you get audited
Check, double check and recheck your documentation before you get audited. The documentation is the primary thing that you will be audited on. Make sure all your version controls are up to date, documents are clean of comments and review mark up, that they have appropriate approvals, appropriate document markup. Ensure that the version control has been touched at least once in the last 12 months before the audit happens.
ISO 27001 Clause 7.5.2 Implementation Guide
There are many ways to document your information security management system. Some are more efficient and proven than others.
Our ISO 27001 toolkit has been built over 20 years and is used globally by thousands of businesses who want to save vast amounts of time and money.
You may be considering an Information Security Management System online solution. These software solutions can be a great help to information security managers in larger organisations but they come at a massive cost.
Which ever route you go .. document everything.
And make sure it is marked up appropriately.
How do you demonstrate compliance to ISO 27001 clause 7.5.2?
But only if those document include the document mark up required and you can evidence the documents were reviewed and approved.
You need the appropriate document mark up and you need to ensure that they are updated at least within the last 12 months.
ISO 27001 Clause 7.5.2 Templates
ISO 27001 templates are a great way to implement your information security management system. Whilst an ISO 27001 toolkit can save you up to 30x in consulting fees and allow you to deliver up to 10x faster these individual templates help meet the specific requirements of ISO 27001 clause 7.5.2
ISO 27001 Clause 7.5.2 FAQ
The ISO 27001 standard requires that documents have a prescribed mark up, are reviewed and approved. The mark up required includes:
d) Version control
e) Document classification
f) Document last reviewed date
g) Document owner
You evidence compliance to the ISO 27001 Clause 7.5.2 by having a good documentation in place that meets the document mark up requirements and is evidenced as being reviewed and approved within the last 12 months.
You can download ISO 27001 7.5.2 templates here: https://hightable.io/product/iso-27001-templates-toolkit/
An example of ISO 27001 Clause 7.5.2 can be found here: https://hightable.io/product/iso-27001-templates-toolkit/
The ISO 27001 documentation templates toolkit can be downloaded here: https://hightable.io/product/communication-plan/
Possibly. If the owner of the document did not make the changes that have been made then yes the document owner can approve the document. As long as the author of the change and the approver are distinct people.
The easiest way to approve documents and evidence that they were approved is to share the documents at the next Management Review Team meeting seeking the sign off. Once agree to minute the decision in the meeting minutes.
ISO 27001 Certification Requirements
ISO27001 Certification Requirements set out clause by clause with these complete beginner’s guides that include everything you need to know, what to do and ISO 27001 templates.
- ISO 27001 Clause 4.1 Understanding The Organisation And Its Context
- ISO 27001 Clause 4.2 Understanding The Needs And Expectations Of Interested Parties
- ISO 27001 Clause 4.3 Determining The Scope Of The Information Security Management System
- ISO 27001 Clause 4.4 Information Security Management System (ISMS)
- ISO 27001 Clause 5.1 Leadership And Commitment
- ISO 27001 Clause 5.2 Information Security Policy
- ISO 27001 Clause 5.3 Organisational Roles, Responsibilities And Authorities
- ISO 27001 Clause 6 Planning
- ISO 27001 Clause 6.1.1 Planning General
- ISO 27001 Clause 6.1.2 Information Security Risk Assessment
- ISO 27001 Clause 6.1.3 Information Security Risk Treatment
- ISO 27001 Clause 6.2.1 Information Security Objectives And Planning To Achieve Them
- ISO 27001 Clause 7.1 Resources
- ISO 27001 Clause 7.2 Competence
- ISO 27001 Clause 7.3 Awareness
- ISO 27001 Clause 7.4 Communication
- ISO 27001 Clause 7.5.1 Documented Information
- ISO 27001 Clause 7.5.2 Creating And Updating Documented Information
- ISO 27001 Clause 7.5.3 Control Of Documented Information
- ISO 27001 Clause 8.1 Operational Planning And Control
- ISO 27001 Clause 8.2 Information Security Risk Assessment
- ISO 27001 Clause 8.3 Information Security Risk Treatment
- ISO 27001 Clause 9.1 Monitoring, Measurement, Analysis, Evaluation
- ISO 27001 Clause 9.2 Internal Audit
- ISO 27001 Clause 9.3 Management Reviews
- ISO 27001 Clause 10.1 Nonconformity And Corrective Action
- ISO 27001 Clause 10.2 Continual Improvement
- Guaranteed ISO 27001 Certification up to 10x Faster and 30x Cheaper
- The Ultimate ISO 27001 TOOLKIT so you can do it yourself
- ISO 27001 Exposed: The facts you must know (Not knowing these could cost you $10,000s!)
- 25 Things You Must Know Before Going for ISO 27001 Certification (Number 3 will blow your mind!)
- The Ultimate Reference Guide to ISO 27001 Controls